from the incredible dept

Ars Technica's Cyrus Farivar filed a FOIA request for the Passenger Name Records (PNRs) that had been stored by the federal government concerning his own travel history. PNRs are created by travel companies (airlines, hotels, cruise lines) whenever you book a reservation, and are then handed over to the government. After an appeal, Customs and Border Patrol turned over the records, showing that airlines (1) record a ton of information about you every time you book a flight and (2) hand over all that information to the government. Bizarrely, this includes the credit card number and IP address you used to book your travel, and it appears that the airlines and the US government are ignoring the most basic of cybersecurity protections in that they store the credit card info in the clear.

The fourth line in the record above is Farivar's (long-expired and changed) full credit card. While it may not seem like a huge surprise that the government is basically snooping on everything you tell the airlines (including seat changes, food preferences, any special assistance you might need, etc.), it's stunning that they're passing around and storing credit card info in the clear.

Fred Cate, a law professor at Indiana University, said that my story raises a lot of questions about what the government is doing.

“Why isn’t the government complying with even the most basic cybersecurity standards?” Cate said. “Storing and transmitting credit card numbers without encryption has been found by the Federal Trade Commission to be so obviously dangerous as to be ‘unfair’ to the public. Why do transportation security officials not comply with even these most basic standards?”

Farivar also notes that the CBP publicly states that the info is kept for five years, but his own records go back to March of 2005 -- suggesting that the CBP is hanging onto all this info for a lot longer. Of course, as we've seen in the past, if there's one government agency that appears to be able to get away with anything with absolutely no oversight at all, it's Customs and Border Patrol. However, this seems like a fairly serious problem. Beyond the 4th Amendment questions it raises about why they're getting all this information on Americans, it seems like they're creating a much bigger security risk in storing (and passing around) all such info in the clear.

from the privacy-matters dept

There's been an ongoing discussion between the US and Europe (and other countries as well) about the US's demands that anyone flying to the US should have all sorts of data passed along to the US first. And while an agreement has been made, apparently the rapporteur in charge of examining this issue of sending passenger data to the US, Sophie in't Veld, is now urging the EU to reject the agreement.

The key issue appears to be that the details of the current agreement violate existing European rights and rules -- including the fact that the US will retain this data forever (contrary to some claims that it would just be held for 15 years -- which was already problematic). Apparently, the agreement goes so far as to give US law enforcement a direct login to European computer systems, so they can sift through reservation data at will. Basically, this is yet another case of US law enforcement overreaching in what it wants to be able to spy on, and just assuming that everyone will go along with it, despite a lack of clear reason for why. Now, what remains is whether or not EU officials will give in.